Security Workshop (Part 2) - Apan


Dec 4, 2013


Network Security

BUSAN 2003

Saravanan Kulanthaivelu

Security Audit

"The world isn

t run by weapons anymore, or
energy, or money. It

s run by little ones and
zeros, little bits of data... There

s a war out
there... and it

s not about who

s got the most
bullets. It

s about who controls the

Federation of American Scientists

Intelligence Resource Program

Workshop Outline (2)

Security Audit

Intrusion Detection

Incident Response


We already have firewalls in place. Isn't
that enough?

We did not realize we could get security
audits. Can you really get security audits,
just like financial audits?

We have already had a security audit.
Why do we need another one?


Firewalls and other devices are simply tools that help provide security. They do not, by themselves, provide security. Using a castle as an analogy, think of firewalls and similar tools as the walls and watch towers. Without guards, reports, and policies and procedures in place, they provide little

Security audits, like financial audits, should be performed on a regular basis.

Security Audit

A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by these actions.

It is an assessment process that develops systems and procedures within an organization, creates awareness among employees and users, and ensures compliance with legislation through periodic checking of processes, constituents and documentation.

Why Audit?

Determine Vulnerable Areas

Obtain Specific Security Information

Allow for Remediation

Check for Compliance

Ensure Ongoing Security

To ensure that the site's networks and systems are efficient and as secure as practicable (no audit makes them foolproof)

Who needs security auditing?

A security audit is necessary for every organization using the Internet.

An ongoing process that must be exercised and improved to cope with the changing and challenging

Being audited should not be feared. Auditing is good practice.

Audit Phases

External Audit

Public information collection

External Penetration

Non-destructive test

Destructive test

Internal Audit

Confidential information collection

Security policy reviewing


Environment and Physical Security

Internal Penetration

Change Management


Audit Phases

Hacker's view of the network

Simulate attacks from outside

A snapshot in time: results are only valid for the moment they were taken

Can NEVER be 100% complete

External Audit
Information Gathering

Search for information about the target and its
critical services provided on the Internet.

Network Identification

Identify IP addresses range owned/used

Network Fingerprinting

Try to map the network topology

Perimeter model identification

OS & Application fingerprinting

OS fingerprinting

Port scanning to identify services and applications

Banner grabbing
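The port-scanning and banner-grabbing steps above, as an added example in Python. This is not the workshop's material and it is not nmap: it does a plain TCP connect() scan (no raw sockets, so no SYN or stealth scans), reads the greeting that a server-speaks-first service sends, and maps a few well-known greetings to service names. So that it runs offline it starts a throw-away fake service on 127.0.0.1 whose banner is constructed; the host, ports and banner-to-service table are assumptions for the demo. Run it only against systems you have written permission to test, as the next slide insists.

```python
"""TCP connect scan plus banner grab for one host.

Added example for the port-scanning and banner-grabbing steps; not part of
the original workshop material and not nmap.  Only scan hosts you are
authorised to test.  By default it runs against a throw-away fake service on
127.0.0.1 so the whole thing works offline.
"""
import socket
import threading

# Constructed banner for the local demo service (not a real OpenSSH build).
DEMO_BANNER = b"SSH-2.0-OpenSSH_demo constructed-example\r\n"


def start_demo_service(banner=DEMO_BANNER):
    """Listen on an ephemeral loopback port and send `banner` to every client.

    Returns (port, listening_socket); close the socket to stop the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                with conn:
                    conn.sendall(banner)
        except OSError:          # listening socket closed: stop serving
            pass

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def find_closed_loopback_port():
    """Reserve and release an ephemeral port so we have one that is closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host, port, timeout=1.0, read_bytes=256):
    """Return ("open", banner), ("closed", None) or ("filtered", None).

    connect() completing means the port is open; an immediate refusal (RST)
    means closed; a timeout usually means a filtering device silently dropped
    the SYN.  After connecting we wait briefly for a server-speaks-first
    banner (SSH, SMTP and FTP all send one) and record "" if the service is
    silent (HTTP, for example, waits for the client to talk first).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", None
    except OSError:              # timeout, host unreachable, ...
        s.close()
        return "filtered", None
    try:
        banner = s.recv(read_bytes)
    except socket.timeout:
        banner = b""
    finally:
        s.close()
    return "open", banner.decode("ascii", errors="replace").strip()


def guess_service(banner):
    """Label a service from the first bytes of its greeting (tiny lookup)."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "smtp-or-ftp"
    if banner.startswith("+OK"):
        return "pop3"
    return "unknown"


def scan(host, ports, timeout=1.0):
    """Scan `ports` on `host`; return {port: (state, banner, service)}."""
    results = {}
    for port in ports:
        state, banner = probe(host, port, timeout)
        service = guess_service(banner) if state == "open" else None
        results[port] = (state, banner, service)
    return results


if __name__ == "__main__":
    demo_port, listener = start_demo_service()
    targets = [demo_port, find_closed_loopback_port()]
    for p, (state, banner, service) in scan("127.0.0.1", targets).items():
        print(f"{p:5d}/tcp {state:8s} {service or '-':12s} {banner or ''}")
    listener.close()
```

A "filtered" result is the interesting one during an external audit: it tells you a packet filter sits in front of the port, which is exactly the perimeter model the previous slide asks you to identify. Keep the timeout short and the port list small during business hours; a connect() scan leaves a full TCP handshake in the target's logs.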

External Audit


Do not make

changes to the systems or

Do not impact processing capabilities by
running scanning/ testing tools during business
hours or during peak or critical periods

Always get permission before testing

Be confidential and trustworthy

Do not perform unnecessary attacks

External Audit

Plan the penetration process

Search for vulnerabilities matching the information gathered and obtain the corresponding exploits

Conduct vulnerability assessments (ISO 17799)

Non-destructive test

Scans / tests to confirm vulnerabilities

Make SURE they are not harmful

Destructive test

Only with short-term effect (e.g. DDoS)

Done from various locations

Done only during off-peak hours to confirm the effect

Record everything

Save snapshots and record everything for every test done, even if it returned a negative result

Watch out for HONEYPOTS

Internal Audit

Conducted at the premises

A process of hacking with full knowledge of the
network topology and other crucial

Also to identify threats within the organization

Should be 100% accurate.

Must be cross checked with external
penetration report.

Internal Audit
Policy review

The internal audit starts with the security policy.

If there is no policy, there is nothing to audit against.



Procedures, Guidelines

& Practices

Internal Audit
Policy review

Policies are studied thoroughly and classified

Identify any security risk that exists within the policy itself

Interview IT staff to gain a proper understanding of the policies

Also identify the level to which the policies are actually implemented

Internal Audit

Discussion of the network topology

Placement of perimeter devices of routers and

Placement of mission critical servers

Existence of IDS


Internal Audit
Environment &
Physical Security

Locked / combination / card swipe doors

Temperature / humidity controls

Neat and orderly computing rooms

Sensitive data or papers laying around?

Fire suppression equipment

UPS (Uninterruptible power supply)

Section 8.1 of the ISO 17799
document defines the concepts of
secure area, secure perimeter and
controlled access to such areas.

Internal Audit

The internal penetration test can be divided into a few areas:


Perimeter devices

Servers and OS

Application and services

Monitor and response

Find vulnerabilities and malpractice in each

Internal Audit

Location of devices on the network

Redundancy and backup devices

Staging network

Management network

Monitoring network

Other network segmentation

Cabling practices

Remote access to the network

Internal Audit
Perimeter Devices

Check configuration of perimeter devices like



Wireless AP/Bridge

RAS servers

VPN servers

Test the ACL and filters like egress and ingress

Firewall rules

Configuration Access method

Logging methods

Internal Audit
Server & OS

Identify mission critical servers like
DNS,Email and others..

Examine OS and the patch levels

Examine the ACL on each server

Examine the management control
acct &

Placement of the servers

Backup and redundancy

Internal Audit
Application &

Identify the services and applications running on the mission-critical servers. Check vulnerabilities for the versions running. Remove unnecessary


Name services(BIND)






Internal Audit
Monitor & Response

Check for procedures on

Event Logging and Audit

What is logged?

How frequently are logs reviewed?

How long are logs kept?

Network monitoring

What is monitored?

Response Alert?

Intrusion Detection

IDS in place?

What rules and detection used?

Incident Response

How is an attack responded to?

What is the recovery plan?

Follow up?

Internal Audit
Analysis and

Analysis result

Check compliance with security policy

Identify weakness and vulnerabilities

Cross check with external audit report


The report is the key to realizing value from the audit

Must be 2 parts

Not technical (for management use)

Technical (for IT staff)

Methodology of the entire audit process

Separate Internal and External

State weakness/vulnerabilities

Suggest solution to harden security


More Tools….






RAT (Router Audit Tool)

Retina scan tools


nmap: the de facto standard (even in The Matrix, nmap was used)

Intrusion Detection

Intrusion Detection is the process of monitoring computer networks and systems for violations of security.

An Intrusion: any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.

All intrusions are defined relative to a security policy.

The security policy defines what is permitted and what is denied on a network/system.

Unless you know what is and is not permitted, it is pointless to attempt to catch intrusions.

Intrusion Detection

Manual Detection

Check the log files for unusual behavior

Check the setuid and setgid of files

Check important binaries

Check for usage of sniffing programs

Automatic (partially??)

Intrusion Detection Systems
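The setuid/setgid check from the manual-detection list above, as an added example that is not from the workshop slides. It sweeps a directory tree for set-id regular files, compares them with a known-good list captured during the last audit, and reports anything new. The directory layout, file contents and baseline list are constructed for the demo; on a real host you would sweep / and keep the baseline off the box.

```python
"""Find set-user-ID / set-group-ID files and diff them against a known-good list.

Added example for the manual-detection checks (not from the workshop slides).
A set-id file that was not there yesterday is one of the oldest signs of a
root compromise: the intruder leaves a setuid copy of a shell behind so they
can get root back without re-exploiting anything.
"""
import os
import stat
import tempfile


def find_setid_files(root, relative=True):
    """Return sorted paths of regular files under `root` with S_ISUID or S_ISGID set.

    lstat() is used deliberately: symlinks are judged by their own bits, not
    those of the target, so an attacker cannot hide a planted binary behind a
    link, and the sweep never follows links out of the tree.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable: skip, don't abort the sweep
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append(rel if relative else path)
    return sorted(hits)


def diff_against_baseline(current, baseline):
    """Return (new, missing).

    new     : set-id files not in the baseline -> investigate immediately
    missing : baseline entries no longer set-id -> usually a patch, sometimes tampering
    """
    cur, base = set(current), set(baseline)
    return sorted(cur - base), sorted(base - cur)


# Constructed known-good list: what the last audit recorded for this box.
BASELINE = ["bin/passwd", "usr/bin/wall"]


def build_demo_tree():
    """Constructed fixture in a temp dir: two legitimate set-id binaries, one
    ordinary binary and a planted setuid shell under a dot-directory in tmp.
    Needs a filesystem that stores the set-id bits (any normal Linux one does)."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    layout = {
        "bin/passwd": 0o4755,      # setuid root in real life
        "usr/bin/wall": 0o2755,    # setgid tty
        "bin/ls": 0o755,           # ordinary binary, must not be reported
        "tmp/.x/sh": 0o4755,       # the intruder's backdoor
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n# stand-in for " + rel.encode() + b"\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    found = find_setid_files(root)
    new, missing = diff_against_baseline(found, BASELINE)
    print("set-id files:", found)
    print("NEW (investigate):", new)
    print("missing from baseline:", missing)
```

The same sweep is cheap enough to run from cron and diff daily; the point of the baseline is that you only have to look at the delta, not at the whole list every time.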

Intrusion Detection Systems


To detect intrusion real time and respond to it

False positive

No intrusion but alarm

Too many make your life miserable

False negative

Intruder not detected

System is compromised

Intrusion Detection

Misuse Detection

The most common technique, where incoming/outgoing traffic is compared against well-known 'signatures'. For example, a large number of failed TCP connections to a wide variety of ports indicates that somebody is doing a TCP port scan.

Anomaly Detection

Uses statistical analysis to find changes from baseline behavior (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition, but has the benefit that it can catch attacks for which no signature exists. Anomaly detection is mostly theoretical at this point and is the topic of extensive research.

Intrusion Detection

Misuse Detection

Detect known attack signatures

Advantages:

Low false positive rate

Disadvantages:

Only known attacks

Costs of signature management

Anomaly Detection

Learn normal profiles from user and system behavior

Detect anomalies

Advantages:

Detect unknown attacks

Disadvantages:

Difficulty of profiling

Profile can be manipulated by intruders who shift the baseline slowly

High false positive rate
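Both techniques from the two slides above, as one added example that is not part of the workshop material: the port-scan signature the misuse slide describes, implemented as a sliding-window rule over firewall log lines, and a statistical anomaly check that scores hourly logon counts against a 14-day baseline. The log format, every log line and the logon figures are constructed for this demo; the thresholds (10 distinct ports within 60 seconds, 3 standard deviations) are assumptions a real deployment would tune to its own false-positive budget.

```python
"""Misuse (signature) and anomaly detection over constructed log data.

Added example for the two detection techniques on the slides; not part of
the workshop material.  The firewall log format, every line in it and the
logon-count figures are made up for this demo.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- misuse detection: the port-scan signature from the slide -------------

# Constructed format: "<iso-timestamp> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = "\n".join(
    # one source hitting 12 different ports in 11 seconds: a scan
    [f"2003-08-20T10:00:{i:02d} DENY TCP 203.0.113.7:{40000 + i} -> 198.51.100.5:{p}"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443])]
    # a user fat-fingering SSH three times over five minutes: not a scan
    + ["2003-08-20T10:00:05 DENY TCP 198.51.100.20:51000 -> 198.51.100.5:22",
       "2003-08-20T10:02:30 DENY TCP 198.51.100.20:51001 -> 198.51.100.5:22",
       "2003-08-20T10:04:50 DENY TCP 198.51.100.20:51002 -> 198.51.100.5:22",
       "2003-08-20T10:05:00 ALLOW TCP 198.51.100.20:51003 -> 198.51.100.5:22",
       "kernel: eth0 link up"]   # unrelated line, must be ignored
)


def parse(line):
    """Return a dict for a firewall line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Signature: one source DENIED to >= min_ports distinct ports inside `window`.

    A sliding window per source keeps the distinct-port count exact without
    re-scanning earlier events; the alert reports the busiest window seen.
    """
    per_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["action"] == "DENY":
            per_src[ev["src"]].append((ev["ts"], ev["dport"]))

    alerts = []
    for src, events in per_src.items():
        events.sort()
        in_window, lo, best = Counter(), 0, 0
        for ts, port in events:
            in_window[port] += 1
            while events[lo][0] < ts - window:       # expire events older than the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            alerts.append({"src": src, "distinct_ports": best,
                           "first": events[0][0], "last": events[-1][0]})
    return alerts


# --- anomaly detection: deviation from a statistical baseline ------------

# Constructed baseline: successful logons in the 09h slot on 14 ordinary days.
BASELINE_LOGONS = [40, 42, 38, 45, 41, 39, 44, 40, 43, 37, 42, 41, 39, 44]
# Constructed observations to score against it.
OBSERVED = [("mon-09h", 180),   # credential-stuffing burst
            ("mon-10h", 43),    # normal
            ("tue-03h", 33)]    # too quiet: was logging switched off?


def z_score(baseline, value):
    """Standard deviations between `value` and the baseline mean."""
    mu, sigma = statistics.mean(baseline), statistics.pstdev(baseline)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect_anomalies(baseline, observations, threshold=3.0):
    """Flag observations more than `threshold` sigmas away in either direction."""
    return [(label, value, round(z_score(baseline, value), 2))
            for label, value in observations
            if abs(z_score(baseline, value)) >= threshold]


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG.splitlines()):
        print("ALERT port scan:", a)
    for label, value, z in detect_anomalies(BASELINE_LOGONS, OBSERVED):
        print(f"ANOMALY {label}: {value} logons (z={z:+.1f})")
```

Note what each half does and does not catch: the signature never fires on the user who mistyped a password three times, but it also never fires on a scan slower than ten ports per minute, and the anomaly check flags a drop as readily as a spike, which is why it has the higher false-positive rate the slide warns about.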

Network IDS

Uses network packets as the data source

Searches for patterns in packets

Searches for patterns of packets

Searches for packets that shouldn't be there

May 'understand' a protocol for more effective pattern searching and anomaly detection

May passively log, alert via SMTP/SNMP, or provide a real-time GUI

Network IDS Strength

Lower cost of ownership

Fewer detection points required

Greater view

More manageable

Detects attacks that host
based systems miss

IP based Denial of Service

Packet or Payload Content

More difficult for an attacker to remove evidence

Uses live network traffic

Captured network traffic

Network IDS Strength

Real time detection and response

Faster notification and responses

Can stop before damage is done (TCP reset)

Detects unsuccessful attacks and malicious intent

Outside a DMZ

See attempts blocked by firewall

Critical information obtained can be used to refine policy

Operating system independence

Does not require information from the target OS

Does not have to wait until the event is logged

No impact on the target

Network IDS Limitations

Obtaining packets (switched topology & encryption)

Number of signatures

Quality of signatures


Network session integrity

Understanding the observed protocol

Disk storage

Host Based IDS

Signature log analysis

application and system

File integrity checking

MD5 checksums

Enhanced Kernel Security

API access control

Stack security

Some products listen to port activity and alert
administrator when specific ports are
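The file-integrity item above, as an added example that is neither Tripwire's code nor the workshop's. It records a digest, the permission bits and the size of every regular file under a root, keeps that as a baseline, and later diffs a fresh sweep against it. SHA-256 stands in for the MD5 the slide mentions: MD5 collisions have been practical for years, so a baseline built on it cannot be trusted to distinguish a crafted file from the original. Recording the mode as well as the digest catches a chmod that adds a setuid bit without changing a byte. The demo filesystem and its contents are constructed. The caveat from the 'Host Based IDS Limitations' slide below applies: an intruder with root can rewrite the baseline or hide from the kernel, so store the baseline on read-only media or another host.

```python
"""Tripwire-style file integrity check: build a baseline, then diff against it.

Added example for the host-based IDS 'file integrity checking' item; not
Tripwire's code and not from the workshop.  SHA-256 instead of MD5 because MD5
collisions are practical; mode and size are recorded alongside the digest so a
chmod (e.g. adding setuid) is caught even though the content is unchanged.
"""
import hashlib
import os
import stat
import tempfile


def file_digest(path, algo="sha256"):
    """Stream the file through the hash so large binaries don't need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Return {relative_path: {"digest", "mode", "size"}} for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                          # symlinks, devices etc. are out of scope here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"digest": file_digest(path, algo),
                             "mode": stat.S_IMODE(st.st_mode),
                             "size": st.st_size}
    return baseline


def compare(old, new):
    """Return {"modified": {path: [changed fields]}, "added": [...], "removed": [...]}."""
    modified = {}
    for path in old.keys() & new.keys():
        changed = [k for k in ("digest", "mode", "size") if old[path][k] != new[path][k]]
        if changed:
            modified[path] = changed
    return {"modified": modified,
            "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys())}


# ---- constructed demo filesystem ----------------------------------------

def make_demo_fs():
    """Temp dir standing in for a server's filesystem (all contents are made up)."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    files = {"bin/ls": b"ELF-ls-original", "bin/su": b"ELF-su-original",
             "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
             "var/log/auth.log": b"Aug 20 10:00:01 sshd: Accepted password for alice\n"}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o755 if rel.startswith("bin/") else 0o644)
    return root


def tamper_demo_fs(root):
    """What an intruder typically does: trojan a binary, make another one setuid,
    drop a hidden library and delete the log that recorded the break-in."""
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"ELF-ls-with-backdoor")               # different content and size
    os.chmod(os.path.join(root, "bin", "su"), 0o4755)  # same bytes, new setuid bit
    hidden = os.path.join(root, "usr", "lib")
    os.makedirs(hidden, exist_ok=True)
    with open(os.path.join(hidden, ".rk.so"), "wb") as f:
        f.write(b"ELF-rootkit")
    os.remove(os.path.join(root, "var", "log", "auth.log"))


if __name__ == "__main__":
    root = make_demo_fs()
    baseline = build_baseline(root)   # in practice: store this off-box or on read-only media
    tamper_demo_fs(root)
    report = compare(baseline, build_baseline(root))
    for path, fields in sorted(report["modified"].items()):
        print(f"MODIFIED {path}: {', '.join(fields)}")
    for path in report["added"]:
        print(f"ADDED    {path}")
    for path in report["removed"]:
        print(f"REMOVED  {path}")
```

The "removed" list is as important as "modified": a log file that vanishes between sweeps is the incident-response evidence the later slides tell you to preserve, and its disappearance is itself the clue.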

Host IDS Strength

Verifies success or failure of an attack

Log verification

Monitors specific system activities

File access

Logon / Logoff activity

Account changes

Policy changes

Detects attacks that network
based IDS may miss

Keyboard attacks

Force logins

Host Based IDS Limitations

Places load on system

Disabling system logging

Kernel modifications to avoid file integrity
checking (and other stuff)

Management overhead


Characteristic of a Good IDS

Impose minimal overhead

Does not slow down the system

Observe deviations from normal behavior

Easily tailored to any system

Cope with changing system behavior over
time as applications are being added

High adaptation

Network Honeypots

Sacrificial system(s) or sophisticated

Any traffic to the honeypot is considered

If a scanner bypassed the NIDS, HIDS and
firewalls, they still may not know that a
Honeypot has been deployed

Network Honeypots





Some IDS


RealSecure by ISS

VCC/Tripwire

NetRanger by WheelGroup

Snort

Incident Response

Incident: An action likely to lead to
grave consequences

Data loss may lead to commercial loss.

Confidentiality breached.

Political issues…

Network breakdown lead to service and
information flow disruption.

Many more..

Incident Response

Response: An act of responding.

Something constituting a reply or a reaction.

The activity or inhibition of previous activity of an organism or
any of its parts resulting from stimulation

The output of a transducer or detecting device resulting from a
given input.

Ideally Incident Response would be a set of policies that allow an
individual or individuals to react to an incident in an efficient and
professional manner thereby decreasing the likelihood of grave

ISO 17799

Outlines Comprehensive Incident Response and Internal
Investigation Procedures

Detailed Provisions on Computer Evidence Preservation and

Minimize overall impact

Hide from public scrutiny.

Stop further progression.

Involve Key personnel.

Control situation.

Incident Response


Minimize overall impact

Recover Quickly & Efficiently.

Respond as if going to prosecute.

If possible replace system with new one.

Priority one, business back to normal.

Ensure all participants are notified.

Record everything.

Incident Response


Minimize overall impact

Recover Quickly & Efficiently.

Secure System.

Lock down all known avenues of attack.

Assess system for unseen vulnerabilities.

Implement proper auditing.

Implement new security measures.

Incident Response


Minimize overall impact

Recover Quickly & Efficiently.

Secure System.

Follow up (a continuous process)

Ensure that all systems are secure.

Continue prosecution.

Securely store all evidence and notes.

Distribute lessons learned.

Incident Response


Incident Verification

How are we certain that an incident

Verify the Incident!

Where to find information?

Intrusion Logs

Firewall Logs


Emails, Network Admin, Users, ISP, etc…

Verification: What do we

Three situations

1. Verification without touching the system

2. Verification by touching the system
minimally. You have a clue or two where to

3. Verification by full analysis of live system
to find any evidence that an incident has

Secure Incident Scene

What exactly does this mean?

Limit the amount of activity on the system to
as little as possible

Limit damage by isolating

ONE person perform actions

Limit affecting the crime environment

Record your actions

Preserve Everything!

Anything and everything you do will
change the state of the system

POWER OFF? Changes it.

Leave it plugged in? Changes it.

Obtaining a backup will change the system

Unplug the network? Changes it.

Doing Nothing

will ALSO change the
state of the system.

Incident Scene Snapshot

Record state of computer

Photos, State of computer, What is on the screen?

What is obviously running on the screen?



Should you port scan the affected computer?

Pros: You can see all active and listening ports

Cons: It affects the computer and some backdoors log how
many connections come into them and could tip off the bad

Unplug power from system?

This method may be the most damaging to
effective analysis though there are some
benefits as well

Benefits include that you can now move the
system to a more secure location and that you
can physically remove the hard drive from the

Cons… you lose evidence of all running
processes and memory

Unplug from Network?

Unplug from the network?

Unplug it from the network and plug the
distant end into a small hub that is not
connected to anything else.

Most systems will write error messages into
log files if not on a network.

If you make the computer think it is still on
a network, you will succeed in limiting the
amount of changes to that system.

Backup or Analyze?

Should you backup the system first?

Should you find the extent of the damage?

Set up in policy for your incident response:

It depends on the system and what you need it for.

To get BEST evidence BACKUP first at the cost of
time to get answers

To get FAST answers ANALYZE first at the cost of
getting best evidence

Label systems with priority. Some will need answers
quicker than your ability to get best evidence.

Finding Clues

Once backup is done start looking for clues

Be careful to avoid tampering with the
system when it is in the middle of a backup.

Even though the emphasis might be to
quickly assess the WHAT of a situation, if
you try and answer that question without
preserving the scene of the crime you will
inadvertently erase the evidence you seek

Be patient. It’s meticulous

Finding Clues

What are we really looking for?






We need to find one clue, and once we do,
everything else almost always falls into

What Next?


Apply short-term solutions to contain an intrusion

Eliminate all means of intruder access

Return systems to normal operation

Identify and implement security lessons

Useful Links

Incident Response Resources

Incident Response, Electronic Discovery, and Computer Forensics,

Security Focus,

The Federal Computer Incident Response Center (FedCIRC) ,

The Canadian Office of Critical Infrastructure Protection and Emergency

Incident Handling Links & Documents (75 links)

SEI: Handbook for Computer Security Incident Response Teams

CERT/CC: Computer Security Incident Response

CERT/CC: Responding to Intrusions

AuCERT: Forming an Incident Response Team


White Papers

Information Security Management: Understanding
ISO 17799

Microsoft IIS Unicode Exploit

Worrisome New Windows Attacks

PKI: How it Works

IPSec: What Makes it Work

Funny things happen! Beware

Thank You